  • #14729
Closed
Issue created Sep 04, 2019 by ACD Gruppe@acdgruppe

Group Deploy Keys

Problem to solve

You need to add a deploy key to every project manually in order to use GitLab CI with the same deploy keys across projects. This is so the runner will get permission to clone/fetch other repositories that are internal or private.

This is not very effective, especially if you need to update your key or add a new one.

Intended users

Everyone working with GitLab CI and using the repo tool:

  • Sasha (Software Developer)
  • Devon (DevOps Engineer)

User experience goal

  • The user should be able to configure deploy keys on the group level so they will be accessible in any child project.
  • Users should find it easy to locate the group deploy keys in a group.
  • Ideally, users should be knowledgeable about group deploy keys when in a project context.

Proposal

  • Add a menu option Repository under the group sidebar Settings menu
  • Add a section Deploy keys
  • Group Deploy keys allow read-only or read-write (if enabled) access to your project repositories within the group.
    • Note: Group deploy keys do not support protected branches unless #30769 (comment 337230547) is implemented.
  • Deploy keys can be used for access to environments. You can create a group deploy key or add an existing one.
    • Note: Group deploy keys do not support protected environments unless #223748 is implemented.
  • Project deploy keys are unique within the same instance. This means they can't both be added in User settings > SSH keys and in a group's or project's deploy keys section.
    • This is shown with an error message similar to the one for project deploy keys (depicted at #14729 (comment 387842401))
  • Group deploy keys inherit the same read/write access given to the key to the entire group.
  • Group deploy keys are shown the same way as instance level deploy keys within a project's deploy keys context.

UI layout of Deploy keys section:

Similar to the project settings section at /settings/repository to begin with. This should ideally be moved to a similar creation flow as variables with a modal containing the creation flow.

#### Deploy Keys

Deploy keys allow read-only or read-write (if enabled) access to your group's repositories. Deploy keys can be used for CI, staging, or production servers. You can create a deploy key or add an existing one.

Create a new deploy key for this group.

Title

[FIELD]

Key

[FIELD]

Paste a machine public key here. Read more about how to generate it [here](https://gitlab.com/help/ssh/README).

* [ ] Write access allowed
      Allow this key to push to __all of this group's repositories__ as well? (Default only allows pull access.)

Deploy keys table:

[TAB][Enabled deploy keys][NUM] [TAB][Privately accessible deploy keys][NUM] [TAB][Publicly accessible deploy keys][NUM]

[HEADER][Deploy key]       [HEADER][Project usage]                                      [HEADER][Created]

[ROW]{Title}{Fingerprint}  [BADGE per Project]{Project reference}{Access level icon}    [Date]{icon:calendar}{time ago}         [ACTIONS]{Enable}{Disable}{Remove}{Edit}

Further details

Permissions and Security

Everyone who has access to Group > Settings > CI / CD should be able to add Group Deploy Keys/Tokens.

  • Add expected impact to Maintainer (40) members
  • Add expected impact to Owner (50) members

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Core or Starter

Is this a cross-stage feature?

Links / references

Edited Aug 11, 2020 by Dimitrie Hoekstra
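
A small model of the semantics proposed in this issue, added here as an illustration and not GitLab's code: keys are compared by SHA256 fingerprint so the same key cannot be registered twice on an instance, and a group deploy key's read or write access applies to every project below the group. `Instance`, `sample_key`, `PROJECTS` and the group paths are hypothetical, and coverage of nested subgroups is an assumption.

```python
import base64
import hashlib
import struct

def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public key line (same form as `ssh-keygen -lf`)."""
    blob = base64.b64decode(pubkey_line.split()[1])  # field 2 is the key blob; comment ignored
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

class Instance:
    """Hypothetical model of one GitLab instance; not GitLab's data model."""
    def __init__(self):
        self.owners = {}      # fingerprint -> where the key is registered
        self.group_keys = {}  # fingerprint -> (group_path, can_push)

    def _claim(self, pubkey_line, owner):
        fp = fingerprint(pubkey_line)
        if fp in self.owners:  # uniqueness is instance-wide, across all key types
            raise ValueError(f"fingerprint already taken by {self.owners[fp]}")
        self.owners[fp] = owner
        return fp

    def add_user_key(self, user, pubkey_line):
        return self._claim(pubkey_line, f"user:{user}")

    def add_group_deploy_key(self, group_path, pubkey_line, can_push=False):
        fp = self._claim(pubkey_line, f"group:{group_path}")
        self.group_keys[fp] = (group_path, can_push)
        return fp

    def access(self, fp, project_path):
        """Return None, 'read' or 'write' for this key on this project."""
        if fp not in self.group_keys:
            return None
        group_path, can_push = self.group_keys[fp]
        # Assumption: the key covers every project below the group, subgroups included.
        if not project_path.startswith(group_path + "/"):
            return None
        return "write" if can_push else "read"

    def reach(self, fp, projects):
        """Projects a single leaked key would expose, with the access level."""
        return {p: self.access(fp, p) for p in projects if self.access(fp, p)}

def sample_key(seed, comment):
    """Constructed ed25519-shaped key line (32 filler bytes, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

PROJECTS = ["acme/web", "acme/firmware/boot", "acme-labs/web"]  # constructed paths
```

`reach` makes the trade-off of the "Write access allowed" checkbox visible: one group-level key with push rights covers every repository under the group, so a key scoped to a subgroup, or left read-only, limits what a compromised runner can change.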